Grafana Public Dashboard Query DoS via Unbounded JSON Size
CVE-2026-42127 Published on June 22, 2026
Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
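The general mitigation for this class of bug, as an added Go sketch (not Grafana's code or its actual fix): the handler caps the request body with `http.MaxBytesReader` before any JSON decoding. The names `boundedQueryHandler`, `queryRequest`, `statusFor` and the 1 MiB limit are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed cap for this sketch; not a Grafana setting.
const maxQueryBody = 1 << 20 // 1 MiB

// Hypothetical request shape, not Grafana's real type.
type queryRequest struct {
	IntervalMs int64 `json:"intervalMs"`
}

// boundedQueryHandler caps the body before any JSON decoding happens.
func boundedQueryHandler(w http.ResponseWriter, r *http.Request) {
	// Enforce the cap on bytes actually read, whatever length was declared.
	r.Body = http.MaxBytesReader(w, r.Body, maxQueryBody)
	var req queryRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		status := http.StatusBadRequest
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) { // cap hit before a full value was read
			status = http.StatusRequestEntityTooLarge
		}
		http.Error(w, http.StatusText(status), status)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor sends a constructed body through the handler and returns the status.
func statusFor(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/query", strings.NewReader(body))
	rec := httptest.NewRecorder()
	boundedQueryHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor(`{"intervalMs":1000}`))                          // small body
	fmt.Println(statusFor(`{"pad":"` + strings.Repeat("A", 2<<20) + `"}`)) // constructed 2 MiB body
}
```

Without the cap, the decoder keeps buffering until the whole JSON value has arrived, so memory use is set by the sender rather than by the server.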
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-42127
Affected Versions
Grafana Enterprise:
- Before and including 11.6.14 is affected.
- Before and including 12.2.8 is affected.
- Before and including 12.3.6 is affected.
- Before and including 12.4.3 is affected.
- Before and including 13.0.1 is affected.
- Version 11.6.0, <= 11.6.14 is affected.
- Version 12.2.0, <= 12.2.8 is affected.
- Version 12.3.0, <= 12.3.6 is affected.
- Version 12.4.0, <= 12.4.3 is affected.
- Version 13.0.0, <= 13.0.1 is affected.